
I'm guessing the "arp -a on windows" issue is because of airbase-ng. Not 100% sure mind you.

I can't confirm because hostapd is not working.

airbase-ng is kind of broken? There is a fix?

Does the target have a gateway IP? DNS?

Yes.

I don't understand what you're saying about "WPATARGET".
The fakeAP you created was called "Free-WiFi", "WPATARGET" is scanning for networks (hence its probing). [So yes, the ESSIDs are different?]
The fakeAP you create is "Open", I have no idea if "WPATARGET" is protected.

Sorry, it's more like a general wireless hacking question, not completely related to the outputs above.

I mean, I configured the fake AP to answer to all probes. I want to compromise the network called WPATARGET; my fake AP will answer when someone asks for WPATARGET (I see this in the logs).

However, the real WPATARGET has WPA protection and my fake AP is OPEN. So my question is, will the real clients (my victims) connect anyhow to my fake (OPEN) WPATARGET? Or is there no way, since the original uses encryption (WPA)?

I mean, assuming the target clients use Windows Zero Configuration and have WPATARGET saved.

No, it's not a well known error (first I've heard of it!).
I'll have a look into it. (I missed it when I was doing 127, I'll try and find a fix for my next release)

Originally Posted by rick.m

So, I can't be in a place where a lot of wireless networks are in use? Is there a workaround?

I dunno if that is the issue (the mass of wireless networks!), it's a bit hard for me to test this in my lab as well...
Somehow I can't see it being an issue, but it's a possibility of why it's not working anyway...
The only "fix" I could think of right now would be to use different hardware/drivers and/or hostapd. But I really don't know. Just guessing.

Originally Posted by rick.m

Why is a VM bad? Because of performance? What do you recommend?

It's recommended not to use a VM mainly because of performance; it does also have a few odd issues.
Personally, airbase-ng works a lot better if used in a real install over a VM. hostapd is the same in both.
I recommend doing a real install of BackTrack! (If you can, install direct onto the HDD, else a USB stick)

Originally Posted by rick.m

See, I tried hostapd, but it failed very ugly, see below please.
*CODE*
Ideas?

That MAY be a bug. Not sure. I'll have a look into it as well.

Originally Posted by rick.m

airbase-ng is kind of broken? There is a fix?

Yes, airbase-ng does have a few issues, though these are mainly compatibility issues with your hardware/drivers.
The best fix: get another wifi card. If you can't for whatever reason, change how you're running BackTrack.

Originally Posted by rick.m

Yes.

Yes?
What are you saying yes to?

Originally Posted by rick.m

I mean, I configured the fake AP to answer to all probes. I want to compromise the network called WPATARGET; my fake AP will answer when someone asks for WPATARGET (I see this in the logs).

However, the real WPATARGET has WPA protection and my fake AP is OPEN. So my question is, will the real clients (my victims) connect anyhow to my fake (OPEN) WPATARGET? Or is there no way, since the original uses encryption (WPA)?

I mean, assuming the target clients use Windows Zero Configuration and have WPATARGET saved.

Thanks a lot and congratulations for good work.

fakeAP_pwn isn't YET meant to compromise another wifi, it's planned - just not fully coded yet. Just....too "many moving parts" at the mo that need fixing before that happens...

As far as I know, Windows Zero Configuration is different in XP to Windows Vista/7. It behaves differently. Which OS is your target running?

Anyway, back to your main question. I'm going to need a bit more information from you, for example the output from -d, and the tmp/ folder etc. What is your network setup? What hardware? Software? etc etc...
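The situation discussed in this exchange, an open AP answering probes for an ESSID (WPATARGET) that the legitimate network advertises with WPA, is exactly what a defender can spot in a wireless scan. The following is an added example, not code from the thread or from fakeAP_pwn: it parses a constructed scan export (header names modelled on airodump-ng's CSV output; the rows, BSSIDs and the baseline are made up for this example) and flags any AP that advertises a known ESSID with the wrong security type or from a BSSID that is not in the known-good list.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    essid: str
    privacy: str  # e.g. "OPN", "WEP", "WPA", "WPA2" as the scanner reports it


# Constructed sample in the shape of an airodump-ng CSV export. The header
# follows that tool; every row below is invented for this example.
SCAN_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-05-01 10:00:00, 2010-05-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.0.0.0, 9, WPATARGET,
AA:BB:CC:DD:EE:01, 2010-05-01 10:01:00, 2010-05-01 10:05:00, 6, 54, OPN, , , -30, 300, 0, 0.0.0.0, 9, WPATARGET,
AA:BB:CC:DD:EE:02, 2010-05-01 10:02:00, 2010-05-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -35, 80, 0, 0.0.0.0, 9, WPATARGET,
AA:BB:CC:DD:EE:03, 2010-05-01 10:03:00, 2010-05-01 10:05:00, 1, 54, OPN, , , -50, 60, 0, 0.0.0.0, 9, Free-WiFi,
"""

# Known-good baseline (assumed, maintained by the network owner):
# ESSID -> (set of legitimate BSSIDs, expected privacy string)
BASELINE = {
    "WPATARGET": ({"00:11:22:33:44:55"}, "WPA2"),
}


def parse_airodump_csv(text):
    """Turn the AP section of an airodump-style CSV into ScanRecords."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    records = []
    for row in reader:
        essid = (row.get("ESSID") or "").strip()
        if not essid:
            continue  # hidden SSID rows carry no name to compare against
        records.append(ScanRecord(
            bssid=row["BSSID"].strip().upper(),
            essid=essid,
            # Real exports can show mixed modes such as "WPA2 WPA"; this
            # example compares the string as-is after normalising case.
            privacy=(row.get("Privacy") or "").strip().upper(),
        ))
    return records


def find_evil_twins(records, baseline):
    """Return (bssid, essid, reasons) for every AP that impersonates a baseline ESSID."""
    findings = []
    for rec in records:
        if rec.essid not in baseline:
            continue  # unknown ESSIDs (e.g. "Free-WiFi") are out of scope here
        good_bssids, expected = baseline[rec.essid]
        reasons = []
        if rec.privacy != expected.upper():
            reasons.append(f"advertises {rec.privacy or 'unknown'} instead of {expected}")
        if rec.bssid not in {b.upper() for b in good_bssids}:
            reasons.append("BSSID not in baseline")
        if reasons:
            findings.append((rec.bssid, rec.essid, reasons))
    return findings


if __name__ == "__main__":
    for bssid, essid, reasons in find_evil_twins(parse_airodump_csv(SCAN_CSV), BASELINE):
        print(f"ALERT {essid} from {bssid}: {'; '.join(reasons)}")
```

On the constructed scan this reports two twins of WPATARGET: the open AP (wrong security type and unknown BSSID) and a WPA2 AP from an unknown BSSID. The second case matters because a twin that copies the security type will not be caught by a privacy check alone, so the BSSID baseline is the stronger signal.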

Re: [Script] [Video] fakeAP_pwn (v0.3)

When do you expect fakeAP to be able to compromise another wifi AP?

That is what you need to capture the WPA key for a network if you do not want to use a dictionary attack. I am testing the ability to create a fakeAP to replace a current one and see if I can then knock off the connected machines and have them connect instead to my fakeAP and enter their WPA key so I can capture it. I have read that you can set up airbase to look like it's WPA or WPA2 encrypted but then accept any passphrase to allow connection. Wouldn't that be better for your WPA key finder approach in fakeAP than to set up a fake webpage and wait for the user to install the update? It would be much easier to get the WPA key, that is for sure.

Re: [Script] [Video] fakeAP_pwn (v0.3)

Originally Posted by 00diabolic

When do you expect fakeAP to be able to compromise another wifi AP?

That is what you need to capture the WPA key for a network if you do not want to use a dictionary attack. I am testing the ability to create a fakeAP to replace a current one and see if I can then knock off the connected machines and have them connect instead to my fakeAP and enter their WPA key so I can capture it. I have read that you can set up airbase to look like it's WPA or WPA2 encrypted but then accept any passphrase to allow connection. Wouldn't that be better for your WPA key finder approach in fakeAP than to set up a fake webpage and wait for the user to install the update? It would be much easier to get the WPA key, that is for sure.

Have you tried to set it up like that?

Compromising another wifi AP is planned for v0.7. However, another project I'm currently coding, wiffy, is able to do a fakeAP attack. (It's in beta at the mo.)

For the record, you're still going to need to do a dictionary attack, it's just a different method of getting the handshake. The passphrase is still going to be sent salted, not in plain text.
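The reason a fake AP that "accepts any passphrase" still leaves you with a dictionary attack is the WPA/WPA2-PSK key schedule: the station never transmits the passphrase at all. Both sides derive a 256-bit PMK from it with PBKDF2-HMAC-SHA1, 4096 iterations, with the SSID as the salt (IEEE 802.11i; this is what wpa_passphrase computes), and the 4-way handshake then only carries nonces and MICs derived from that PMK. The following added example (not the thread's or fakeAP_pwn's code) reproduces that derivation and checks it against the standard's published test vector for passphrase "password" on SSID "IEEE"; the SSID "WPATARGET" is only used to show the effect of the salt.

```python
import hashlib

ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32        # 256-bit PMK / PSK


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK the way wpa_passphrase does: PBKDF2-HMAC-SHA1, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),   # the SSID is the salt, so the PMK is network-bound
        ITERATIONS,
        PMK_LEN,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form, matching the 'psk=' line wpa_passphrase prints."""
    return wpa_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11i test vector: "password" / "IEEE" ->
    # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print("IEEE     :", pmk_hex("password", "IEEE"))
    # Same passphrase, different SSID: an unrelated PMK, because the salt differs.
    print("WPATARGET:", pmk_hex("password", "WPATARGET"))
```

Two practical consequences follow from the code. First, whatever an AP (real or fake) sees on the air is a function of the PMK, never the passphrase, so recovering the passphrase from a captured exchange means recomputing 4096 HMAC rounds per candidate, which is why passphrase length and unpredictability are the defence that matters. Second, because the SSID is the salt, precomputed tables only help against the exact SSID they were built for.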

Re: [Script] [Video] fakeAP_pwn (v0.3)

Compromising another wifi AP is planned for v0.7. However, another project I'm currently coding, wiffy, is able to do a fakeAP attack. (It's in beta at the mo.)

For the record, you're still going to need to do a dictionary attack, it's just a different method of getting the handshake. The passphrase is still going to be sent salted, not in plain text.

Yes, I've tried that - however it's not going to be added till v0.7.

Ahh ok.. damn, so even if they send the WPA key it will be like capturing the handshake and doing a standard dictionary attack? No real benefit to it? Or does this capture reveal more of the key, like its length or something, for example?

If you have that kind of ability to have them connect to your fake AP, you would think you could get the key with no fuss.

Maybe running an app to infiltrate their system is necessary after all. Their WPA key is stored under network properties under the ESSID.

Re: [Script] [Video] fakeAP_pwn (v0.3)

Originally Posted by pentest09

A nice little phishing attack, serve it up from a webserver on BT? Bit like login phishing, neat idea. No need for a host banning you.

Keep up the good work
regards dee

Well, I'm redoing the whole thing with jQuery & AJAX.
There will be client-side and server-side validation, output to a .txt file with IP & passphrase.
Also we can write commands to a PHP file to check if the passphrase is correct.
We are now talking of using 3 wifi cards.

Re: [Script] [Video] fakeAP_pwn (v0.3)

Originally Posted by joker5bb

Well, I'm redoing the whole thing with jQuery & AJAX.
There will be client-side and server-side validation, output to a .txt file with IP & passphrase.
Also we can write commands to a PHP file to check if the passphrase is correct.
We are now talking of using 3 wifi cards.